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EXECUTIVE SUMMARY 


This report documents initial findings in an ongoing forensic examination of the voting systems of Mesa County, 
Colorado, used in the November, 2020 General Election. These voting systems represent a portion of overall election 
systems infrastructure, and this report is limited to the findings of an ongoing investigation. The findings in this report 
were prepared by the cyber forensic expert retained to advise the County Clerk pursuant to her duties as the county’s 
Chief Election Official as part of the impacted parties' legal team. 


Federal law requires the preservation of election records — which includes records in electronic or digital form — for 
twenty-two months after an election. Colorado law requires the preservation of election records for an additional 
three months beyond the Federal requirement. The obligation to ensure the integrity of elections and that all election 
records are preserved pursuant to federal and state law falls to the elected Clerk & Recorder. This report, the first of 
several, is based on examination of the data obtained from forensic images of the Dominion Voting System EMS 
server last used in Mesa County for the November, 2020, election, images taken in furtherance of the preservation 
requirements of federal and state law. Based upon information received by the Clerk's office from various sources in 
early 2021, the Clerk became concerned that the voting system modifications might jeopardize these preservation 
and other legal requirements under the responsibility of the County Clerk. For this reason the Clerk ensured a full 
backup of election records from the County voting systems, both before and after the software modification 
performed by the vendor and the Secretary of State on May 25-26, 2021, just six months after the November, 2020, 
election. 


Forensic examination’ found that election records, including data described in the Federal Election Commission's 
2002 Voting System Standards (VSS) mandated by Colorado law as certification requirements for Colorado voting 
systems, have been destroyed on Mesa County's voting system, by the system vendor and the Colorado Secretary of 
State's office. Because similar system modifications were reportedly performed upon county election servers across 
the state, it is possible, if not likely, that such data destruction in violation of state and federal law has occurred in 
numerous other counties. 


The extent and manner of destruction of the data comprising these election records is consequential, precluding the 
possibility of any comprehensive forensic audit of the conduct of any involved election. This documented destruction 
also undermines the conclusion that these Colorado voting systems and accompanying vendor and Colorado 
Secretary of State-issued procedures could meet the requirements of Colorado and Federal law, and consequently 
vitiates the premise of the Colorado Secretary of State certification of these systems for use in Colorado. 


Two backup images, using forensic imaging methods, were obtained from the Dominion Voting Systems (DVS) 
Democracy Suite (D-Suite) Election Management System (EMS) Standard Server in Mesa County, Colorado. The first 
image was made of that EMS Standard Server in the D-Suite 5.11-CO version configuration, as used in the November, 
2020 election. The second image was of the configuration of the EMS Standard Server in the D-Suite 5.13 version 
configuration, following the modification of the EMS Standard Server by a combined team of DVS vendor personnel 
and Colorado Secretary of State staff. The forensic information provided in this report is presented using screenshots 
from forensic analysts' systems running industry-standard forensics software tools. The report includes "before" and 
"after" screenshots from the forensic tool that shows the differences between the two backup images. 


The forensic examination found that numerous logfiles had been deleted or overwritten. These logfiles are required 
to reconstruct the function of and events taking place on the the voting systems, and based upon information 


2 Many individuals and organizations, some public officials, have made recent claims that no audit performed nor examination 
conducted on elections or computer-based election systems can be legitimate or credible unless the examiners are “election 
experts” or accredited election auditors. There is no such thing as an “accredited election auditor,” nor are there Federal 


standards or procedures to credential election auditors. 
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provided by legal counsel, must, by law, be preserved. By comparing filenames in the two images (before and after 
the Dominion update on May 25-26, 2021), examination and analysis identified a total of 28,989 files that were 
deleted. During a software update, some replacement of program files and their related content is normally 
expected. However the examination found that 695 log and event log files necessary for the determination of 
election integrity were deleted. 


Based upon information provided by legal counsel, Colorado law (Colorado Revised Statute (CRS) § 1-5-601.5) 
requires that, prior to use in Colorado elections, electronic and computer-based voting systems be certified by the 
Colorado Secretary of State. This certification is based on the systems’ compliance with the requirements of the 
Federal Electon Commission’s 2002 Voting System Standards (VSS), verified by their testing by a Federally-accredited 
(by vote of the U.S. Election Assistance Commission (EAC)) Voting System Testing Lab (VSTL). While several iterations 
of newer Voluntary Voting System Guidelines (VVSG) have been issued by the EAC, Colorado’s statutory requirement 
is for compliance with 2002 VSS, which states: 


"Election audit trails provide the supporting documentation for verifying the accuracy of reported 
election results. They present a concrete, indestructible archival record of all system activity related 
to the vote tally, and are essential for public confidence in the accuracy of the tally, for recounts, and 
for evidence in the event of criminal or civil litigation." 


The relevant sections of the VSS are cited in Appendix Е. 


These statutory requirements establish that voting systems are required to generate and preserve, as critical to the 
ability to determine and reproduce the conditions and details of election conduct using these systems, logfiles of all 
system functions, including normal activity, connectivity, file and data access, operator- and automated-processes, 
and errors. Logfiles are critical to the ability to detect improper operation, including the ability to detect malicious 
intrusions as well as other improper activities and conditions, and configuration changes that could enable alteration 
of the actual vote count. 


Assuming this information to be correct, this forensic examination found that a substantially large number of these 
requirements have not been met. This examination also found that destruction of critical logfiles has occurred. This 
destruction is not incidental or minor but is extensive. 


The purpose of this initial report is to document these findings and present preliminary evidence demonstrating 
unacceptable conduct and system defects revealed by the examined images, as necessary for the Chief Election 
Official to discharge her statutory obligations. The facts and resultant findings support the conclusions that: 


1) Election-related data explicitly required to be preserved, as stated in the 2002 VSS criteria referenced in 
this section, have been destroyed in violation of Federal and State law, and 


2) Due to non-compliance with the 2002 VSS requirements, these voting systems and accompanying 
vendor-provided, Colorado Secretary of state-approved procedures cannot meet the certification 
requirements of the State of Colorado, and should not have been certified for use in the state. 


Comprehensive investigation is required to determine whether these critical failures are the result of malicious intent 
or negligence, and to what extent the systems may have been compromised or subjected to unauthorized access or 
operation prior to, during, and after election use. That comprehensive investigation is beyond the scope of this report. 
Subsequent reports will address these issues in detail. 


Evidence supporting all of these findings is documented in this report. 
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Introduction 


Election officials, including Secretaries of State, are obligated by law to ensure the integrity of all elections, including 
the transparency required for citizens to verify that integrity themselves. Modern electronic voting systems are 
marketed as an efficient solution to streamline the voting process and allow for automated collection, tabulation, 
and reporting of election results, but the efficiency they promise comes at a cost. 


The necessary measures and safeguards to ensure the integrity of the systems and their operation against a severe, 
mounting and ever-evolving threat from sophisticated nation-state and non-nation-state actors are so complex and 
dynamic as to outpace the limited capabilities and resources of our government, at all levels. While minimal security 
safeguards may be within government capacity, modern computer-based voting systems are extremely complex and 
difficult to secure, even for cybersecurity experts, and since voting systems are not under the direct control of the 
Federal government's top security experts, any government assurances about the sufficiency of those safeguards can 
serve only to mislead citizens and policy-makers. Even critical defense systems, relentlessly monitored and defended 
by highly-trained teams using costly, sophisticated tools, are at risk and are frequently compromised, sometimes 
before procurement. Earlier generations of voting systems relied on simple, human-scale safeguards, for example 
"air gaps"- that is – to have no wired network connection to the system. But miniaturized wireless communication 
technologies and networks have proliferated, with billions of wireless devices installed or in use, and malicious actors 
have developed sophisticated attacks to bypass air gaps, compromise every kind of hardware, firmware, and 
software, often before they even come into customer or user possession, and to move laterally through networked 
systems, often undetected. Supply-chains for these systems, from the initiation of the design of integrated circuits 
and electronic components, most manufactured overseas with little U.S. insight or oversight, through the fabrication, 
testing, assembly, integration, and operation of these complex composite systems, are vulnerable and untrustworthy 
for critical functions of government and lucrative economic and national security targets. For all these reasons 
logfiles, such as those that have been deleted by the Dominion "Trusted Build" update must be preserved to 
document the complete operation of the computer system and voting applications, and to be able to verify the 
authenticity, integrity and accuracy of the vote. 


The feature size of individual circuits in the chipsets and components of our voting system computers is at the 
nanoscale, smaller than the smallest known virus particle, and less than 3/10,000ths of the width of a human hair. 
So we have lost the ability, if we ever had it, to visually verify what is really happening, even at the physical level, in 
our computer-based voting system. Regardless of how the systems appear to be configured to authorized users and 
poll-watchers, the functionality and connectivity in these computers can be enabled and modified remotely and 
wirelessly, or by the introduction of embedded codes on scanned paper, or triggered by specific unforeseeable and 
indiscernible predetermined software and hardware conditions, or by specific timing events, or by geographic 
location, or by the proximity of other devices or combinations of any of these means. 


For example, some Colorado voting systems ordered as specified by the voting system vendors, from foreign 
manufacturing and assembly facilities, have included "Integrated Dell Remote Access Controllers (IDRAC)," which are 
designed to allow "out-of-band" remote management of those systems, meaning that the computers are explicitly 
equipped to be controlled by remote automated programs or by individuals other than those logged in locally. 
Through the IDRAC, voting systems might have any aspect of their Basic Input/Output System (BIOS), operating 
system, or applications controlled or modified, including the addition and deletion of user accounts, the enabling of 
communications components like wireless networking cards, and the modification, installation, removal or 
configuration of software and settings. Like the inclusion of multi-band wireless networking cards, similarly specified 
and ordered for Colorado voting systems by the vendor, there is no excuse or rational justification for the inclusion 
of components like these, and the fact that the entirety of U.S. voting system regulatory processes and institutions 
can apparently neither detect, note, nor address these gross vulnerabilities eviscerates the notion that our computer- 


based voting systems have been secured. 
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Faced with incredible miniaturization, the importance of logfiles which are records of operation of a computer 
system, are more important than ever in managing this technology. When the computer is part of a national critical 
infrastructure, these operational records become essential, not only for troubleshooting or security alone, but for 
the integrity of the system itself as a component of the National Critical Infrastructure. 


For the purposes of this document and ensuing discussion, two terms are defined to differentiate and clarify the 
evidentiary findings. Election Data is all information regarding Ballot Design, Ballot Marking, Electronic scanning of 
completed ballots, interpretation of the intention of each voter's choice, including human, machine generated or 
programatic adjudication in the event that the election system is unable to determine conclusively the correct vote 
input from any specific ballot, tabulation of the actual vote including the databases used to actually contain the raw 
vote totals, scanned ballot images and Voter Registration and Voter identification information associated with any 
specific election, as well as the actual vote totals. This includes a complete record of any realtime changes in 
databases resident in the cloud such as voter registration data. Election-Related Data includes all of the computer 
log and configuration data that document the complete configuration state and operation of the entire computer 
system and infrastructure upon which Election Software is executed, as well as the operating system of devices that 
store log and election data such as Network Attached Storage (NAS). Also included in Election-Related data are logs 
and configuration of network Routers, Firewalls, Intrusion Detection Systems, Intrusion Prevention Systems, and 
other network security devices, including VPNs and more’. 


Both Election Data AND Election-Related Data must be preserved as “Election Records” under the law, and this is 
broadly addressed in both the 2002 VSS and the EAC’s successor versions of VVSG. 


Securing computer systems is a non-trivial task. It involves a litany of processes, including, but not limited to: 
* Engineering systems with a focus on security 
* Building systems to meet published high-security standards and applicable regulations 
e Patching systems to ensure that vulnerabilities are removed 
* Securing networks to ensure highly controlled access 
* Logging of all communications, processes, access, system modifications 
e Auditing of systems and logs regularly to ensure ongoing compliance 
e Adequate training and certification for engineers, administrators, and system users 


e Adherence to Industry Best Practices, for example, emphasis on password strength and configured security 
and group policies 


These, among other measures, will help to ensure what is known as the CIA triad. The CIA triad represents the three 
pillars of information security: confidentiality, integrity, and availability, as follows: 


? Log and configuration examination of not only the computer system(s) but also all network systems are critical to forensic 
examination. Compromise of any unrelated information (e.g. plain-text cofiguration data containing normally-encrypted 
passwords) can be easily prevented, so long as simple, quick forensic examiner and cyber professional industry standards are 


used to obfuscate private and sensitive data from the network device files. 
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Confidentiality — preserving authorized restrictions on information access and disclosure, 
including means for protecting personal privacy and proprietary information 


Integrity — guarding against improper information modification or destruction and ensuring 
information non-repudiation and authenticity 


Availability - ensuring timely and reliable access to and use of information 


Failure in any of the three pillars can and generally will result in a compromise of the system, Failure in the integrity 
component can have dire consequences for public perception, election results, the future of our government and our 
country. 


Industry-standard forensics analysis tools were applied to the forensic examination. 


Information was forensically evaluated using backup images taken from a Mesa County Election server configured 
for DVS D-Suite 5.11-CO on Sunday, May 23, 2021, before its modification by Dominion Voting Systems and the 
Colorado Secretary of State to DVS D-Suite 5.13, and again on Wednesday, May 26, 2021, after the update had been 
applied. This server was the primary system that was used to process election data in Mesa County for the 2020 
general election.The EMS server configuration and administrative standards were prepared by Dominion Voting 
Systems (DVS), running a combination of COTS and proprietary DVS software, and certified for use by the Colorado 
Secretary of State. Our conclusions include determining that this system not only failed to meet any reasonable 
standard or statutory requirement for cybersecurity but was also subject to removal of critical information (data 
destruction). 


Our findings include serious irregularities that resulted in the loss of data integrity on the server, including election 
data and election-related data. 


LEGAL REFERENCES 


Several Federal and Colorado state legal standards apply to the preservation and definition of election records, 
applicable to the data generated by and resident on voting systems. Beginning with 52 USC 820701, retention and 
preservation of records and papers by officers of elections; deposit with custodian; penalty for violation, which states: 


Every officer of election shall retain and preserve, for a period of twenty-two months from the date of any 
general, special, or primary election of which candidates for the office of President, Vice President, 
presidential elector, Member of the Senate, Member of the House of Representatives, or Resident 
Commissioner from the Commonwealth of Puerto Rico are voted for, all records and papers which come into 
his possession relating to any application, registration, payment of poll tax, or other act requisite to voting in 
such election, except that, when required by law, such records and papers may be delivered to another officer 
of election and except that, if a State or the Commonwealth of Puerto Rico designates a custodian to retain 
and preserve these records and papers at a specified place, then such records and papers may be deposited 
with such custodian, and the duty to retain and preserve any record or paper so deposited shall devolve upon 
such custodian. Any officer of election or custodian who willfully fails to comply with this section shall be 
fined not more than $1,000 or imprisoned not more than one year, or both. 


In addition to 52 USC 820701, multiple sections of Colorado Revised Statutes (CRS) appear applicable, including: 
CRS 1-5-601.5. Compliance with federal requirements (Effective until July 1, 2022) 


All voting systems and voting equipment offered for sale on or after May 28, 2004, shall meet the voting 
systems standards that were promulgated in 2002 by the federal election commission. At his or her 
discretion, the secretary of state may require by rule that voting systems and voting equipment satisfy voting 
systems standards promulgated after January 1, 2008, by the federal election assistance commission as long 
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as such standards meet or exceed those promulgated in 2002 by the federal election commission. Subject to 
section 1-5-608.2, nothing in this section shall be construed to require any political subdivision to replace a 
voting system that is in use prior to May 28, 2004. 


CRS 1-7-802. Preservation of election records 


The designated election official shall be responsible for the preservation of any election records for a period 
of at least twenty-five months after the election or until time has expired for which the record would be 
needed in any contest proceedings, whichever is later. Unused ballots may be destroyed after the time fora 
challenge to the election has passed. If a federal candidate was on the ballot, the voted ballots and any other 
required election materials shall be kept for at least twenty-five months after the election. 


1-13-716. Destroying, removing, or delaying delivery of election records 


(1) No person shall willfully destroy, deface, or alter any ballot or any election records or willfully delay the 
delivery of any such ballots or election records, or take, carry away, conceal, or remove any ballot, ballot box, 
or election records from the polling location or drop-off location or from the possession of a person 
authorized by law to have the custody thereof, or aid, counsel, procure, advise, or assist any person to do 
any of the aforesaid acts. 


(2) No election official who has undertaken to deliver the official ballots and election records to the county 
clerk and recorder shall neglect or refuse to do so within the time prescribed by law or shall fail to account 
fully for all official ballots and other records in his charge. Informality in the delivery of the ballots and election 
records shall not invalidate the vote of any precinct if such records are delivered prior to the canvassing of 
the votes by the county board of canvassers. 


(3) Any person who violates any provision of this section is guilty of a misdemeanor and, upon conviction 
thereof, shall be punished as provided in section 1-13-111. 


And several sections of the Code of Colorado Regulations appear applicable, including: 


8 CCR 1505-1, Rule 21, 21.4.2: All voting systems must meet the requirements of the 2002 Voting Systems 
Standards, parts 5 — 7 of article 5 of title 1, CRS, as amended, and this Rule 21. 
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FORENSIC EXAMINATION AND ANALYSIS REPORT 
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FORENSIC ANALYSIS 


SYSTEM IDENTIFICATION 


The server that was analyzed is capable of operating on a small local area network (LAN). The network consists of 
several systems, including servers and workstations running in a non-virtualized environment. The server that we 
evaluated was named EMSSERVER. It is running the Microsoft Windows Server 2016 Standard operating system. 


The forensic evaluation and reviews were based upon a forensic image archive collected from the Mesa County 
Dominion EMS Server. The Before and After forensic images were collected from the same server and same hard 
drive, as documented below, from the actual acquisition. The serial number of the hard drive shown in each 
collection data set verifies the data origin to be the same physical device. 


Figure 1 — EMS Server (5.11-CO) Image Attributes Before 


Created By AccessData® FTK® Imager 4.2.0.13 


Case Information: 

Acquired using: ADI4.2.0.13 
Case Number: 052321 

Evidence Number: 00003 
Unique description: EMSSERVER 


Information for F:\EMSSERVER\EMSSERVER: 


Physical Evidentiary Item (Source) Information: 
[Device Info] 

Source Type: Physical 

[Drive Geometry] 

Cylinders: 121,534 

Tracks per Cylinder: 255 
Sectors per Track: 63 

Bytes per Sector: 512 

Sector Count: 1,952,448,512 
[Physical Drive Information] 

Mod DELL РЕКС H730 A 


Removable drive: False 
Source data size: 953344 MB 


Sector count: 1952448512 
[Computed Hashes] 
MD5 checksum: 3d7cf05ca6e42db765bf5c15220c097d 


5НА1 checksum: eab06a7ea23586de2746b9142461717e075f5c9f 


Image Information: 

Acquisition finished: Sun May 23 2021 
Segment list: 

Е: \EMSSERVER\EMSSERVER.E01 
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Figure 2 - EMS Server (5.13) Image Attributes After 


Created By AccessData® FTK® Imager 4.2.0.13 


Case Information: 

Acquired using: ADI4.2.0.13 

Case Number: 052621 

Evidence Number: 00002 

Unique description: EMSSERVER_v2 


Information for E:\Mesa\EMSSERVER_v2: 


Physical Evidentiary Item (Source) Information: 
[Device Info] 

Source Type: Physical 

[Drive Geometry] 

Cylinders: 121,534 

Tracks per Cylinder: 255 

Sectors per Track: 63 

Bytes per Sector: 512 

Sector Count: 1,952,448,512 

[Physical Drive Information] 

e Mode DELL PERC H730 A SCSI Disk Device 


Removable drive: False 
Source data size: 953344 MB 


Sector count: 1952448512 
[Computed Hashes] 
MDS checksum: 52861d5a7750ab535a9d5£7277469c10 


SHA1 checksum: 1bf8f22edb37f72bb29428a591046a1f64279a3f 


Image Information: 

Acquisition finished: Wed May 26 2021 
Segment list: 
Е: \Mesa\EMSSERVER_v2.E01 
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Two backup images were obtained, using forensic imaging methods, from the Dominion Voting Systems (DVS) 
Democracy Suite (D-Suite) Election Management System (EMS) Standard Server in Mesa County, Colorado. The first 
image was made of that EMS Standard Server in the D-Suite 5.11-CO version configuration, as used in the November, 
2020 election on May 23, 2021. The second image was of the configuration of the EMS Standard Server in the D-Suite 
5.13 version configuration, following the modification of the EMS Standard Server by a combined team of Dominion 
Voting System vendor personnel and Colorado Secretary of State (SecState) staff, on May 26, 2021. A forensic image 
(forensic copy) is a bit-by-bit, sector-by-sector duplicate of a physical storage device using specialized hardware and 
software; it is a much more comprehensive representation of the state and configuration of the imaged system than 
could be obtained using simple file backup methods. The images include all files, folders, and unallocated, free, and 
slack space. These forensic images include not only all the files visible to the server operating system but also deleted 
files and fragments of files left in the slack and free space but every digital bit of data present on the storage medium, 
in this case, a SCSI hard disk. When forensic images are acquired, a hash function, also known as a Message Digest, is 
computed. This hash can be used at any time to validate the integrity of the image to ensure that it has not been 
edited, modified, or changed in any way. The hash function result from the acquisition of data appears in the text 
above but also appears inside each respective archive and authenticates the data by demonstrating that it has not 
changed since it was acquired. 


These two images were evaluated to gather technical information, including the integrity of the data stored on the 
system. No effort was made to reverse-design, de-compile or reverse-engineer the Dominion software. 
Configuration, which is relevant to the operation of the system, was examined to determine whether improper 
settings could allow undesirable results and were found to contain such errors. Results relevant to this investigation 
are documented below. Additional supporting documentation can be found in the appendixes. They include directory 
listings for many of the directories seen in the screenshots and contain complete filenames, full path names where 
the files are located, and file hashes. 


We have included screenshots that can be used to review and verify these findings. These screenshots were obtained 
from the forensic images of the Dominion server. 


AUTHENTICITY AND CHAIN OF CUSTODY 


Digital chain of custody is the record of preservation of digital evidence from collection to presentation in the court 
of law. This is an essential part of the digital investigation process. The chain of custody is probative that the digital 
evidence presented to the court remains as originally collected, without tampering. The two images analyzed in this 
report were obtained through AccessData FTK Imager 4.2.0.13. The serial number on the EMS Server drive on both 
images match, thus establishing that both images were taken from the same physical drive. | have reviewed the 
documented chain of custody for both images and have determined that the chain of custody is complete from the 
forensic operator utilizing ЕТК Imager through the source from which | directly received these images. (Because of 
the pending civil litigation and criminal investigation, the written documentation remains in the custody of counsel 
for later introduction in court proceedings and thus cannot be released as part of this report.) Further confirmation 
that these are genuine images from the Mesa County EMS Server has been provided by the Colorado Secretary of 
State's office. See: 


https://www.sos.state.co.us/pubs/newsRoom/pressReleases/2021/PR20210817MesaCounty.html 
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Overview of System Data Sources 
Figure 3 — EMS Server (5.11-СО) System Data Sources Before 
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Figure 4 - EMS Server (5.13) System Data Sources After 


Г] 


| eene: ^ 
| очаам sz ve rmn шк = 


каат: юли 
et нев 252,907 | 
recone 185.445 


CASE 0:22-cv-02290-ECT-ECW Doc. 35-3 Filed 09/30/22 Раде 16 of 47 


Server Disk Partition Structure Overwritten 
Purpose: Тһе disk partition structure is the structure of how the hard drive is divided up. 


Figure 5 - EMSSERVER (5.11-CO) Disk Partition Structure Before 
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Figure 7 - Server Disk Partition and Directory Changes 
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Before Dominion Update After Dominion Update 


Computer hard disk drives are data storage devices that must be prepared before use — specifically, they must be 
partitioned into logical disk volumes and then formatted. Partitioning a hard disk drive is the equivalent of scoring 
horizontal and vertical rule lines onto blank paper, and then numbering each line, preparing that paper for the orderly 
recording and look-up of information. A disk is partitioned to organize information into sets of related data. A 
partition creates a logical drive, C:, D:, E:, etc., that the Master Boot Record (MBR) or Globally Unique Identifier (GUID) 
Partition Table, which are like maps of the partitioned and formatted memory storage locations on the hard drive, 
can then use to write and read stored data. 


Creation of such a partition, if previous partitions are not preserved, destroys the “map” of underlying data and data 
locations when the partition is formatted. The previous partition data is then only recoverable by forensic techniques, 
and is vulnerable to complete destruction if overwritten by data stored according to the new partition “map.” Note 
that in the before image above, each disk partition (Labeled "volX," e.g. “voll,” for "volume") is identified together 


with the addresses of the beginning block and ending block for each volume. 
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By comparing the images, it is evident that the disk was re-partitioned, reformatted, and the previous data map 
completely destroyed by overwriting it with new data, rendering the prior data (mostly) unrecoverable. 


Forensic examination of the system can reveal remnants of deleted data. When a computer deletes a file, it does not 
erase the data; it merely changes the first character of the filename to a non-printable character recognized by 
software that accesses the disk. This first character tells the operating system to no longer display the file as it is 
marked as a deleted file, and the space occupied by the disk is marked as reusable. 


Each block on the disk is the smallest unit of disk space that can be used. The size of all blocks on the disk are 
determined when the disk is formatted. The smallest disk block size in common use is 512 bytes. Even if a file only 
occupies 50 bytes of disk space, the entire 512 byte block is marked as "in use". 


If a file of 500 bytes is written to the disk, it occupies one block of disk space, with the last 12 bytes (on a newly 
formatted disk) each containing the numeric value zero (0). If this file is then deleted, and a file of 50 bytes is written 
to the same disk block, the first 50 bytes of the block contain the new file, and the next remaining 450 bytes of the 
disk block contain the data from the deleted file that previously occupied the disk block (followed by the 12 null (0) 
bytes of data). This data remnant is referred to as "File Slack Space" and is defined as any previous remnant data 
that remains on the disk and is not accessible via the operating system nor allocated as an accessible file. 


Special forensic software is required to access file slack space, and the data it contains are partial remnants of 
previous system data. This data may be of use in forensic investigation, and forensic tools often identify it. File Slack 
is identified here for clarity and better understanding of these data. 
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Website Server Log Files Missing 


Figure 8 - EMS Server (5.11-CO) Web Server Log Files Before 
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Aweb server provides information to external web clients (via "web browser" software) using the HyperText Transfer 
Protocol (HTTP). This information can include both read and write access to databases and static presentation of 
information. 


Some software system designs utilize an Ethernet network interface that is essentially an internal connection to itself, 
known as a loopback interface. Thus the presence of a Web Server, by itself, does not indicate a connection to an 
external ethernet interface. However, such an external connection may be indicated by the data within web server 
logs, which are stored by default in Microsoft operating systems with Microsoft Internet Information Services (IIS) 
installed, in a “logs” subfolder to the “inetpub” folder. That log data would include information regarding what web 
pages and data were accessed and whether it was accessed from within the server (loopback) or via an external 
network connection. 


In these before and after views of the same web server directories, it is clear that the web server logs have been 
destroyed by or during the Dominion/CO Secretary of State DVS D-Suite 5.13 modification. 


This log data is required to verify that the election system was not accessed by an external, unauthorized device, but 
due to the specific and unusual installation method for a critical computing system, chosen by Dominion Voting 
Systems and endorsed by the CO Secretary of State, these critical data files with election-related data have clearly 
been destroyed on the Mesa County EMS Standard Server. 
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Server Microsoft SQL Server Installation Log Files Missing 
Purpose: The Database Management System that is used to hold actual ELECTION DATA — votes from each ballot. These 
log files contain information detailing the installation events of SQL Server. 


Figure 10 - EMS Server (5.11-CO) MS SQL Server Installation Log Files Before 
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These log files were created by installing the SQL Server Database Management System software and contain data 
regarding the Initial installation of the software. Ina full forensic investigation, these data are part of the information 
that investigators require to determine a baseline from which can be determined what changes were made, by whom, 
when the changes were made, and much more on a system with properly configured log recording. Therefore, these 
data are Election Related as they document not only the configuration but its changes and are relevant to the Integrity 
of the election. 


Figure 12 is an example of log content from the jal software зефир. It tells us what (Microsoft) software executes, 
where data is stored (the G: drive), and it shows us what Registry values have been set during the installation. These 
are valuable should an investigation of an illegal computer intrusion occur, as they provide a record of the initial 
configuration during such an investigation. 


Figure 12 - Example of Log File Content from EMS Server (5.11-CO) Before 
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Server Microsoft SQL Server Log Files Missing 
Purpose: These log files keep track of events that occur within the SQL Server that manages the election databases. 


Figure 13 - EMS Server (5.11-CO) SQL Server Log Files Before 
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EMS Server Dell Server Updates Missing 


Purpose: These log files track installation of updates made to the various components of the servers, 
including updates to software for a remote-access card. 


Figure 15 - EMS Server (5.11-СО) Dell Server Update Files Before 
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Several log files of great importance to an investigation are shown in Figure 16. The SAS RAID firmware and drivers 
logs tell us about the functionality of hard disk controllers (RAID is an acronym for Redundant Array of Independent 
Disks) and about this storage redundancy's physical capability. Network Firmware logs tell us which hardware devices 
were updated with new firmware, and the version allows us to trace back to its network (and possibly Internet) 
functionality. The application of iDRAC controller firmware may indicate the presence of a special hardware 
controller intended to permit complete remote control of the computer system. This iDRAC controller is often used 
when a data center must be located an inconvenient distance away from its owner and/or operators, or for example, 
when such a computer might be physically located at an Internet Service Provider's secure data center. The iDRAC 
controller permits a remote user to remotely turn on the power to the server, reboot it, access administrative control 
functions, and make changes to the server, OUTSIDE THE CONTROL, or even the awareness, of the local computer 
operator and its operating system. Among the changes possible via an IDRAC are changes to the BIOS (Basic 1/0 
System) including those firmware settings that include the computer Clock, boot device order, which disks or other 
data storage devices are used to boot the computer, and some other computer capabilities. 


Take note of what files remain following the update. 


Not only are the files in an entirely different directory, but the file modification dates have changed, and more 
importantly, these logs are for DIFFERENT versions of the software, and the previous logs have been overwritten. 


Physical examination of the EMS computer system is required to verify the presence or absence of an IDRAC 
controller, however it is highly irregular for update software to install updates to software for a hardware device that 
has not been installed. 
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Server ‘Administrator’ WebCache Log Files Overwritten 
Purpose: These log files store information about websites visited, files opened, etc. 


Figure 17 - EMS Server (5.11-CO) Administrator WebCache Log Files Before 
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Server ‘emsadmin’ WebCache Log Files Overwritten 
Purpose: These log files store information about websites visited, files opened, etc. 


Figure 19 - EMS Server (5.11-CO) "emsadmin" WebCache Log Files Before 
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The WebCache log files have been overwritten. IF the computer has been used on the Internet or with ANY webserver 
(even one on the local network, including this computer's OWN webserver), these WebCache files indicate the 
connections that were sought, as well as files that were opened. These may provide critical evidence that the system 
has been connected to a network, including networks that have access to the Internet. THESE ARE NOT the same files 
in the before and after images. They have been deleted and replaced. 


Here is a small subset of some of the information that was found on the Before image in these WebCache log files: 


Figure 21 - EMS Server (5.11-CO) Webcache Log File Content Before 


Container_15 [Table ID = 49, 25 Columns] ~“ | 
Entryld Containerld Unt AccessedTime 

әз 15 :2020060820200615: DVSAdministrator®:Host: This PC 132368189382665280 
92 15 :202006082020061“: DVSAdministratorile:///C:/Users/ Administratoi/Desktop/DVSSc20Adjudication*t2023:20Key.plx 132368180382821518 


For instance, the above log file entry seems to show a DVS Adjudication Encryption Key was accessed, where it was 
stored and accessed from, and when it was accessed. 


Figure 22 - EMS SErver (5.11-CO) Webcache Log File Content Before - I! 
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үө 18 2021051820210519: emsadminGile:///F:/Logs Е е - 132856531 13082047 | 
Еј ів 2021051820210519: emsadrnin&+Host Thiz РС 132656341 190576330 | 
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ler 18 :20271051820210519 emsadmin Gfile://emsserver/nas/2020%20Mesa%20Ccunty'%?0General/Resuks/ Tabulator00004/Batch2003/images/090)4_02003_000UDN.tit 132658342760262058 | 


In addition, the above log file entry seems to show several interesting files (a windows 'evtx' log file being opened 
from an external attached USB flash drive, and a ballot detail file and even a ballot image from Batch 2003 being 
opened from a Network Attached Storage device) 


Without a forensic Before image prior to a Dominion ‘Update’, this type of potentially critically-important forensic 
information could be, and likely would be, lost forever. 
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Server SQL Server Management Studio (SSMS) Log Files Overwritten 


Purpose: These log files track the installation of the SQL Server Management Studio, which is used to get into the back- 
end of the election databases. 


Figure 23 - EMS Server (5.11-СО) SSMS Log Files Before 


Figure 24 - EMS Server (5.13) SSMS Log Files After 
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Server CBS Log Files Overwritten 


Purpose: These Log Files contain detailed information about installed updates. They could contain evidence of 
changes to the server that would cause decertification of the system. 


Figure 25 - EMS Server (5.11-СО) CBS Log Files Before 
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Server Election Databases Missing 
Purpose: This folder holds all the databases (votes, information regarding batches, when they were processed, how 
many were processed, who they were processed by, and much more). There are also multiple extra databases 
that contain information regarding ballot adjudication. 
Figure 27 - EMS Server (5.11-CO) Election Databases Before 
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Server DHCP Log Files Missing/Overwritten 


CASE 0:22-cv-02290-ECT-ECW Doc. 35-3 Filed 09/30/22 Раде 32 of 47 


Purpose: DHCP Log Files can show evidence regarding computers or other devices being connected to the network. 


Figure 29 - EMS Server (5.11-CO) DHCP Log Files Before 
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Server Event Logs Missing/Overwritten 


Purpose: These Dominion Log Files keep track of election/project-related activity. The Windows Server event logs 
outside the red box keep track of much of the activity on the server. 


Figure 31 - EMS Server (5.11-СО) Event Logs Before 
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Figure 32 - EMS Server (5.13) Event Logs After 
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Below are some screen shots of the kind of Election-Related information (such as cast vote records, audit marks, 
image retrievals, result file loads, etc.) in the EMS Archive Logs that are missing After the Dominion Update: 


Figure 33 - Examples of Election Data Missing After Update 
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Server System Users are Missing 


Purpose: These folders store the information for each user account on the server. 


Figure 34 - EMS Server (5.11-CO) System Users Before 
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Figure 35 - EMS Server (5.13) System Users After 
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Many User Accounts are now missing, and those 
that still exist have been recreated and do not 
contain the information that was in the Before 
folders. 
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Server Virtual Directories Log Files Missing 


Purpose: These are the Log Files that contain information, warnings, and errors relating to the Website Server as the 
server processes election projects that have been set up. 


Figure 36 - EMS Server (5.11-CO) Virtual Directory Log Files Before 
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Server Windows Defender Log Files Missing/Overwritten 
Purpose: These log files keep track of the activity of the built-in Anti-Virus software. 


Figure 38 - EMS Server (5.11-СО) Windows Defender Log Files Before Dominion Update: 
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Figure 39 - EMS Server (5.13) Windows Defender Log Files After 
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Server List of .log files in Before Image that were Deleted. 


This list that follows this paragraph is a comparison of the Before and After forensic images of the Mesa County EMS 
Server. It is a comparative list of files that were deleted — either deliberately erased or overwritten with disregard 
for the preservation of these files, some of which contain ELECTION RELATED data. 


Each line in the image below is the full path listing to each one of the 807 files that end with the word "log" found 
е efore the Domini: s applie: 


The Color code shows what happened to them After Dominion's update. Of all the files on the server Before the 
update — files highlighted in Green are still present on the server after the update, while files highlighted in light red 
have been overwritten and are deleted and not present in the image taken After the update. 


Figure 40 - EMS Server Before/After Јов File Comparison List 
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Significant Number of Logfiles Missing 


The dataset from which this spreadsheet was created was extracted from the EnCase images of the original evidence 
оп the hard drives of the EMS Server and had a traceable chain of custody. While the images above are too small to 
be readable, the entire content of this list is reproduced in Appendix A. 


Of the original 807 ".log" files on the EMS Server before Dominion's update, only 302 remain, and 505 ".log" files 
have been deleted or overwritten. 


Of the files that remain, the forensic examination has not yet verified whether the content of these files (which have 
the same filename and Path — e.g., in the same directories) is unchanged. The files that have been deleted DO include 
files that constitute Election Records and are subject to Federal and State data retention laws. 


This list is only 807 files, and the text size is so small that the content is barely readable. The list of files has been 
broken down into small subsets because the number of files on the entire server totals 363,321 files, many of which 
are provided by Microsoft as part of the Windows Server 2016 operating system and its associated application 
programs and are not Election Related and do not contain actual Election Data. 
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List of .evtx Event Log Files deleted 
Figure 41 - EMS Server (5.11-CO) List of .evtx Event Log Files Before 
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Figure 42 - EMS Server (5.13) List of .evtx Event Log Files After 
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This list that follows this paragraph is a comparison of the Before and After forensic images of the Mesa County EMS 
Server. It is a comparative list of files that were deleted — either deliberately erased or overwritten with disregard 
for the preservation of these files, some of which contain ELECTION RELATED data. A readable list is in Appendix C. 


Each line in the image below is the full path listing (e.g., comparision of file names, not content) to each one of the 


580 files that end with the word ".evtx" found оп the EMS Server before the Dominion update was applied. 190 
Event Log Files were deleted. 


The Color code shows their status After Dominion's update. Of all the files on the server Before the update — files 
highlighted in Green are still present (although possibly changed) on the server after the update, while files 
highlighted in light red have been overwritten and are deleted and not present in the image After the update. 


Logs\Microsoft- Windows-Kernel-WHEAS%4Errors.evtx 

Logs\Key Management Service.evtx 

Logs\Application evtx 

Logs\HardwareEvents.evbx 

Logs\internet Explorer.evix. 

Logs Wicrosoft-Client-Licensing-PlatformtéAAdmin evtx 
LogsWicrosoft-Windows-Application-ExperienceséAProgram-Compatibility-Assistant.evtx 
Logs\Microsoft-Windows-AppModel-Runtimess4Admin.evtx 

Logs Wicrosoft-Windows-AppReadinesstéaAdmin.evtx 
Logs\Microsoft-Windows-AppxDeployment%4Operational.evtx 
LogsWicrosoft-Windows-AppXDeploymentServersédRestricted evtx 

Logs Wicrosoft-Windows-Codelntegritysé4Operational.evtx 
LogsWicrosoft-Windows-Containers-Woifssé4Operational.evtx. 
Logs\Microsoft-Windows-Containers-Wenfs%4Operational.evtx 
LogsWicrosoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provideriéa Admin. evtx 
Logs Wicrosoft-Windows-Crypto-DPAPISé4BackUpKeySvc.evtx 

Logs Wicrosoft-Windows-Crypto-DPAPISé4Operational емх 

Logs Microsoft-Windows-DevicesetupManagerséa Admin.evtx 
LogsWicrosoft-Windows-DevicesetupManagerséAOperational.evtx 

Logs Wicrosoft-Windows-ApplicationResourceManagementSystems&4Operational evtx 
Logs Wicrosoft-Windows-Dhcp-ClientSé4Admin.evbx 

Logs Microsoft-Windows-Dhcpv6-ClientséAAdmin.evtx. 

Logs Wicrosoft-Windows-Hyper-V-Guest-Driverssé4Admin.evtx. 
Logs\Microsoft-Windows-International%4Operational.evtx, 
LogsWicrosoft-Windows-AppReadinessté4Operational.evtx 
LogsWicrosoft-Windows-Kernel-BootsAOperational.evtx 
‘Logs\Microsoft-Windows-Kernel-l0%4Operational.evtx 

Logs\Microsoft- Windows-Kernel-EventTracing%4Admin.evtx 
Logs\Microsoft-Windows-Kernel-Powers4Thermal-Operational evtx 
Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx 
Logs\Microsoft-Windows-Kernel-StoreMgrs64Operational.evtx 
Logs\Microsoft-Windows-AppxDeploymentServer%4Operational.evtx 
Logs\Micrasoft- Windows-Kernel-WHEAS64Operational.evtx 
‘Logs\Microsoft-Windows-known Folders API Service.evtx 
Logs\Micrasoft-Windows-Liveld%64Operational.evtx 
Logs\Microsoft-Windows-MUI%64Admin.evtx 

Logs\Microsoft- Windows-GroupPolicy%64Operational evtx 
Logs\Microsoft-Windows-MUI%4Operational.evtx 
Logs\Microsoft-Windows-NCSI%4Operational.evtx 
Logs\Micrasoft-Windows-NetworkProfile%4Operational.evtx 
Logs\Micrasoft-Windows-Ntfs%4Operational.evtx 
LLogs\Microsoft-Windows-Ntfs%64WHC evtx 
Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx 
Logs\Microsoft- Windows-RemoteDesktopServices-RdpCoreTS%4Admin.ovtx 
Logs Wicrosoft-Windows-SettingSyncéADebug. evbx. 

Logs\Microsoft- Windows RemoteD esktopServices-RdpCoreTS%4Operational.evtx 
Logs\Microsoft-Windows-Kernel-PnP%4Configuration evtx 

Logs\Microsoft- Windows-SettingSyncs4Operational.evtx 
Logs\Microsoft-Windows-Shell-Coress4ActionCenter.evtx 
Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx 
Logs\Microsoft-Windows-Shell-Core%al ogoniTasksChannel.evtx 
Logs\Microsoft-Windows-Shell-Core%4Operational.evtx 
Logs\Microsoft-Windows-SmbClient944Connectivity.evtx 
Logs\Microsoft-Windows-SMBClient%4Operational evtx 
Logs\Microsoft-Windows-SmbClientsé4Security.evtx 

Logs Microsoft-Windows-SMBServerSé4Audit.evtx 

Logs Wicrosoft-Windows-SMBServerséConnectivity evtx 
Logs\Microsoft-Windows-SMBServer%40perational.evtx 


1 
‘Windows\system32\winevt\Logs\Microsoft-Windows-TaskScheduler%4, 
‘Windows\System32\winevt\Logs\Microsoft-Windows-VDRVROOT%40p 
‘Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operatio 
Windows\system32\winevt\Logs\Microsoft-Windows-AppXDeployment 
‘Windows\system32\winevt\Logs\Microsaft-Windows-AppXDeployment 
Windows\system32\winevt\Logs\Microsoft-Windows-International9640 
‘Windows\system32\winevt\Logs\Microsoft-Windows-MUI%4Operation 
‘Windows\system32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evt 
Windows\system32\winevt\Logs\Microsoft-Windows-Windows Firewal 
‘Windows\system32\winevt\Logs\Microsoft-Windows-Iphlpsvc%40pera 
‘Windows\system32\winevt\Logs\Microsoft-Windows-WMI-Activity%4C 
‘Windows\$ystem32\winevt\Logs\Microsaft-Windows-AppReadiness%4, 
‘Windows\system32\winevt\Logs\Microsoft-Windows-AppReadiness%4) 
‘Windows\$ystem32\winevt\Logs\Microsoft-Windows-ApplicationResou 
‘Windows\system32\winevt\Logs\Microsoft-Client-Licensing-Platform%sc 
‘Windows\system32\winevt\Logs\system evtx 
Windows\system32\winevt\Logs\Application.evtx 
Windows\System32\winevt\Logs\Security.evtx 
‘Windows\system32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4, 
Windows\$ystem32\winevt\Logs\Windows PowerShell.evtx 

Windows\ ystem32\winevt\Logs\Key Management Service.evtx 
Windows\system32\winevt\Logs\Internet Explorer evtx 

‘Windows\ ystem32\winevt\Logs\HardwareEvents.evtx 

‘Windows\ ystem32\winevt\Logs\Micrasoft-Windows-Wemsvc%4Opera 
‘Windows\$ystem32\winevt\Logs\Microsoft-Windows-Application-Expet 
‘Windows\system32\winevt\Logs\Microsoft-Windows-Program-Compat! 
‘Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client’44Ad 
‘Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices- 
‘Windows\$ystem32\winevt\Logs\Microsoft-Windows-TerminalServices- 
‘Windows\system32\winevt\Logs\Microsoft-Windows-WinRM%4Operat 
‘Windows\System32\winevt\Logs\Microsaft-Windows-Windows Defend 
‘Windows\ ystem32\winevt\Logs\Microsoft-Windows-Windows Defend 
‘Windows\system32\winevt\Logs\Microsoft-Windows-UserPnp%aDevict 
‘Windows\$ystem32\winevt\Logs\Microsoft-Windows-UserPnp%4Actior 
‘Windows\System32\winevt\Logs\Micrasoft-Windows-DeviceManagem« 
‘Windows\$ystem32\winevt\Logs\Microsoft-Windows-Kemel-Power%a1 
‘Windows\system32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Or 
‘Windows\ ystem32\winevt\Logs\Microsoft-Windows-StateRepository% 
‘Windows\System32\winevt\Logs\Micrasoft-Windows-StateRepository%t 
Windows\$ystem32\winevt\Logs\Micrasoft-Windows-Kernel-PnP%4Cor 
‘Windows\system32\winevt\Logs\Micrasoft-Windows-Kernel-ShimEngin 
Windows\$ystem32\winevt\Logs\Micrasoft-Windows-Ntfs%4Operation 
Windows\system32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx 
Windows\system32\winevt\Logs\Microsoft-Windows-VolumeSnapshot- 
‘Windows\system32\winevt\Logs\Mictosoft-Windows-Kernel10%4Oper 
‘Windows\$ystem32\winevt\Logs\Microsoft-Windows-Codeintegrity%64¢ 
‘Windows\ ystem32\winevt\Logs\Microsoft-Windows-Kemel-WHEA%4E 
‘Windows\$ystem32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4( 
‘Windows\system32\winevt\Logs\Microsoft-Windows-Windows Firewal 
‘Windows\ ystem32\winevt\Logs\Microsoft-Windows-NCSI%64Operatior 
‘Windows\ ystem32\winevt\Logs\Microsoft-Windows-WinlNet-Config% 
Windows ySystem32WinevLogsWicrosoft-Windows-Crypto-DPAPIséaC 
‘Windows\system32\winevt\Logs\Microsoft-Windows-Crypto-DPAPISS4E 
‘Windows\$ystem32\winevt\Logs\Microsoft-Windows-DeviceSetupMan: 
Windows\ ystem32\winevt\Logs\Micrasoft-Windows-DeviceSetupMan: 
‘Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs' 
‘Windows\$ystem32\winevt\Logs\Microsoft-Windows-Containers-Wenf: 
Windows\system22\winet\Logs\Microsft-Windows-GroupPalicy40y 
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Logs\Microsoft-Windows-SMBServer%4Security.evix. 

Logs\Microsoft-Windows SMBWitnessClient3%4admin.evtx 
Logs\Microsoft-Windows-SMBWitnessClient%4informational.evtx 
LogsWicrosoft-Windows-StateRepositorysé4Operational.evtx. 

Logs Microsoft-Windows-StateRepositorySé4Restricted.evtx 

Logs Wicrosoft-Windows-TaskschedulertéAMaintenance evtx 

Logs Wicrosoft-Windows-Terminalservices-LocalsessionManagersé4Admin evtx 
Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evix 
Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin evtx 


Logs Wicrosoft-Windows-TerminalServices-RemoteConnectionManagers&4Operational.evix. 


Logs\Microsoft-Windows-Store%4Dperational.evtx 
Logs\Microsoft-Windaws-UniversafTelemetryClient%4Operational.evtx 
Logs\Microsoft-Windows-User Profile Service%4Operational.evtx 
Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx 
Logs\Microsoft-Windows-UserPnp%4DeviceInstall evtx 
LogsWMicrosoft-Windows-VolumeSnapshot-Driversé4Operational.evtx 
Logs\Microsoft-windows-Wcmsvc%4Operational.evix 
LogsWicrosoft-Windows-Windows Defender%40perational.evtx 
LogsWicrosoft-Windows-Windows DefenderséaWHC.evbx 
Logs\Microsoft-Windows-Windows Firewall With Advanced 
Logs\Microsoft-windows-WinlNet-Config%64ProxyConfigChanged.evtx 
Logs\Micrasoft-Windows-Winlogon%4Operational evtx 
Logs\Microsoft-Windows-WinRM%4Operational.evtx 


Logs\Setup evtt 

Logs\Windows PowerShell.evtx 

Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall емх 
Logs\Micrasoft-Windows-WMI-Activity%4Operational.evtx 

Logs\system evtx 

Logs\security.evtx 

‘Windows\System32\winevt\Logs\Setup.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2020-02-27-12-21-20-622.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2019-07-11-20-46-32-189.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2019-06-30-13-45-03-347.evtx 
Windows\system32\winevt\Logs\Archive-EMS System-2019-07-08-02-26-04-899.evtx. 
‘Windows\System32\winevt\Logs\Archive-EMS System-2019-10-30-19-26-37-188.evtx 
Windows\System32\winevt\Logs\Archive-EMS System-2019-07-04-08-05-33-867.evtx. 
‘Windows\System32\winevt\Logs\Archive-EMS System-2019-07-30-16-29-10-602.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2019-07-15-15-07-04-381.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-03-02-02-52-11-569.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-04-19-00-10-16-214.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2019-07-26-22-08-42-827.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-12-11-22-05-26-089.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2021-02-23-04-20-21-835,evtx 
Windows\System32\winevt\Logs\Archive-EMS System-2020-05-26-12-11-25-223.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2020-04-15-07-09-24-325.evtx. 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-06-04-04-35-23-707.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2020-04-07-21-05-41-859.evtx. 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-06-18-19-18-33-633.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2021-02-09-23-20-20-681.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-06-07-22-53-09-400.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2021-05-19-09-05-03-069.evtx 
Windows\System32\winevt\Logs\Archive-EMS System-2021-05-19-03-17-30-918.evtx 
Windows\System32\winevt\Logs\Archive-EMS System-2019-10-02-11-09-22-083.evtx. 
‘Windows\System32\winevt\Logs\Archive-EMS System-2021-02-09-15-51-43-896,evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2021-02-09-19-15-04-259.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2021-04-28-04-14-58-545,evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2021-04-06-04-10-43-774,evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2020-03-24-00-59-56-063.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-01-08-17-03-22-249.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2019-11-10-09-23-03-203.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2019-11-06-16-37-56-482,evtx 
Windows\System32\winevt\Logs\Archive-EMS System-2019-12-02-15-06-36-405.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-10-07-05-51-17-641.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2021-03-06-06-07-29-506.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2019-10-27-06-12-01-889.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2019-11-14-02-20-35-061.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2021-03-16-20-09-20-723.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-09-26-09-07-58-407.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-07-08-10-16-08-709.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2020-10-26-06-16-16-735.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-06-21-16-36-38-559.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2019-11-03-08-53-17-228.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2019-10-23-15-37-23-347.evtx. 
‘Windows\system32\winevt\Logs\Archive-EMS System-2020-11-13-00-00-07-540.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2020-10-21-03-24-37-573.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2021-01-15-03-21-17-842.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2019-12-10-01-06-03-529.evtx 


‘Windows systema2\winevt\Logs\Microsof- Windows-User Profile Servi 
Windows\system32\winevt\Logs\Microsoft- Windows-Liveld%4Operatic 
Windows\system32\winevt\Logs\Microsoft-Windows-SMBClients440pe 
‘Windows\ System32\winevt\Logs\Microsoft-windows-SmbClient964Con 
Windows\system32\winevt\Logs\Microsoft- Windows-SmbClientSé4Seci 
‘Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon’é40pe 
Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%640r 
‘Windows\system32\winevt\Logs\Microsoft-Windows-Settingsync%4De 
Windows\system32\winevt\Logs\Microsoft-Windows-DateTimeContral 
‘Windows\system32\winevt\Logs\Microsoft-Windows-Known Folders A 
Windows\system32\winevt\Logs\Microsoft-Windows-Shell-Core%4Actl 
Windows\system32\winevt\Logs\Microsoft-Windows-Shell-Core%4Ope 
Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4App_ 
Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Logi 
‘Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymen' 
Windows\system32\winevt\Logs\Microsoft-Windows-AppModel-Runti 
‘Windows\ System32\winevt \Logs\Microsoft-Windows-ServerManager-t 
Windows\$ystem32\winevt\Logs\Microsoft-Windows-Store%4Operatio 
Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification- 
Windows\system32\winevt\Logs\Microsoft-Windows-PushNotification- 
Windows\system32\winevt\Logs\Microsoft- Windows-TWinU}%40peral 
1=m32\winevt\Logs\Microsoft-Windows-Application-Expe 
Windows\System32\winevt\Logs\Microsoft-Windows-Application-Expe 
Windows\system32\winevt\Logs\Microsoft-Windows-Application-Expe 
‘Windows\system32\winevt\Logs\Microsoft-Windows-Application-Expe 
Windows\system32\winevt\Logs\Microsoft-Windows-Security-SPP-UX- 
Windows\system32\winevt\Logs\Microsoft-Windows-BackgroundTaskl 
‘Windows\System32\winevt\Logs\Microsoft-Windows-ServerManager-N 
Windows\$ystems2\winevt\Logs\Microsoft-Windows-ServerManager-N 
Windows\system32\winevt\Logs\Microsoft-Windows-Forwarding%40p 
Windows\system32\winevt\Logs\Microsoft-Windows-ServerManager-h 
‘Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaus 
Windows\$ystem32\winevt\Logs\Microsoft-Windows-DatalntegrityScat 
Windows\System32\winevt\Logs\Microsoft-Windows-DataintegrityScat 
Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Schedt 
Windows\$ystem32\winevt\Logs\Microsoft-Windows-HomeGroup Con! 
‘Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Connecteds 
Windows\system32\winevt\Logs\Microsoft-Windows-StorageSpaces-M 
Windows\System32\winevt\Logs\Microsoft-Windows-Diagnasis-DPS%4 
Windows\System32\winevt\Logs\Microsoft-Windows-Storage-ClassPnP 
Windows\system32\winevt\Logs\Microsoft-Windows-RestartManager3 
Windows\system32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4 
‘Windows\system32\winevt \Logs\Microsoft-Windows-CAPI2%4Operati¢ 
Windows\$ystem32\winevt\Logs\Microsoft-Windows-WindowsUpdate! 
Windows\System32\winevt\Logs\Microsoft-Windows-NlaSvc%40perati 
Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%440p 
Windows\system32\winevt\Logs\Microsoft-Windows-Powershell4ad 
к Windows-Diagnosis-PCW% 
\winevt\Logs\Microsoft-Windows-Storage-storport! 
ма System.evix 
Windows\System32\winevt\Logs\Microsoft-Windows-Application Serve 
Windows\system32\winevt\Logs\Microsoft-Windows-Application Serve 
Windows\system32\winevt\Logs\OVs Adjudication.evtx 
Windows\System32\winevt\Logs\Micrasoft-Windows-CloudStorageWiz 
Windows\System32\winevt\Logs\Microsoft-AppV-Client%64Admin.evtx 
Windows\System32\winevt\Logs\Microsoft-AppV-Client%64Operational 
Windows\System32\winevt\Logs\Microsoft-AppV-Client%6aVirtual Appli 
‘Windows\System32\winevt\Logs\Microsoft-Rdms-UIs4Admin.evtx 
Windows\system32\winevt\Logs\Microsoft-Rdms-UI%64Operational.evt 
‘Windows\system32\winevt\Logs\Microsoft-User Experience Virtualizat 
Windows\System32\winevt\Logs\Microsoft-User Experience Virtualizati 
Windows\System32\winevt\Logs\Microsoft-User Experience Virtualizat 
Windows\system32\winevt\Logs\Microsoft-User Experience Virtualizat: 
Windows\system32\winevt\Logs\Microsoft-Windows-AAD%4Operatior 
Windows\System32\winevt\Logs\Microsoft-Windows-All-User-Install-A 
Windows\System32\winevt\Logs\Microsoft-Windows-Allioynt%4Operat 
Windows\system32\winevt\Logs\Microsoft-Windows-AppHost364admi 
Windows\system32\winevt\Logs\Microsoft-Windows-AppiD%4Operati 
Windows\system32\winevt\Logs\Microsoft.\ чн прикачи НА 
jLocker%4EXi 


‘Windows\systema2\winevt\Logs\Microsoft-Windows-AppLockersé4Pac 
Windows\system32\winevt\Logs\Microsoft-Windows-AppLockers4Pac 
Windows\system32)\winevt\Logs\Microsoft-Windows-AppxPackaging%: 
Windows\system32\winevt\Logs\Microsoft-Windows-AssignedAccess% 
‘Windows\System32\winevt \Logs\Microsoft-Windows-AssignedAccessB 
a cc 
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‘Windows\system32\winevt\Logs\Archive-EMS System-2019-11-25-05-09-12-916.evtx 
‘Windows\ system32\winevt\Logs\Archive- EMS System-2021-01-22-13-12-21-043.evtx 
‘Windows\system32\winevt\Logs\Archive- EMS System-2019-12-06-08-06-21-993.evtx 
‘Windoows\ System32\winevt\Logs\Archive-EMS System-2020-11-05-17-16-37-197.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2021-05-16-23-08-11-827.evtx 
Windows\system32\winevt\Logs\Archive-EMS System-2021-04-17-01-19-18-484.evtx 
‘Windows\ system32\winevt\Logs\Archive-EMS System-2021-05-21-01-39-07-647.evtx 
Windows\system32\winevt\Logs\Archive-EMS System-2021-03-04-12-10-17-214.evtx 
Windows\system32\winevt\Logs\Archive-EMS System-2020-07-12-02-56-47-489.evtx 
Windows\system32\winevt\Logs\Archive-EMS System-2021-05-21-07-26-54-297.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2020-04-04-04-03-42-737.evtx 
‘Windows\ System32\winevt\Logs\Archive-EMS System-2020-11-16-16-31-58-059.evtx. 
‘Windows\system32\winevt\Logs\Archive-EMS System-2019-11-21-12-09-41-781.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2019-12-28-14-04-05-77 Levtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2020-03-12-22-02-14-487.evtx 
‘Windows\system32\winevt\Logs\Archive-EMS System-2019-12-13-18-05-49-770.evtx 
‘Windows\System32\winevt\Logs\Archive-EMS System-2019-11-17-19-10-01-322.evtx 
‘Windows\ system32\winevt\Logs\Archive-EMS System-2021-05-05-14-13-33-324.evtx 
Windows\system32\winevt\Logs\Archive-EMS System-2021-05-14-13-10-56-695.evtx 
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Analysis Summary 


Analysis of the Mesa County Dominion Voting Systems EMS server identified that extensive deletion of both election 
data and election-related data, comprising election records which must and should have been preserved under 
Federal and Colorado law, has occurred either as a result of or coincident with the vendor’s and CO Secretary of 
State’s modification of the system from version 5.11-CO to 5.13. This deleted data is critical to any effort to 
reconstruct events taking place on the voting systems, and to determine if unauthorized access or operation of the 
voting systems took place. 


Furthermore, the EMS server application logging functions are configured to “Overwrite events as needed” if 
arbitrarily-selected file storage sizes are exceeded, which could predictably and likely has resulted in the systematic, 
automated deletion of logfile content comprising election-related data. 


This systemic deletion of logfile data requires additional investigation. 


CONCLUSION 


This forensic examination found that significant election record preservation requirements under the 2002 VSS and 
Federal and state law HAVE NOT BEEN MET and further that destruction of Election-Related Data, specifically critical 
logfiles, has occurred. This destruction is not incidental or minor but is highly significant. 


These findings have been demonstrated in this report and evidence has been presented demonstrating conclusively 
to both computer systems experts as well as legal professionals and the general public at large that the facts in these 
findings support the conclusions that: 


1) Election-related data and election data explicitly required to be preserved, as described in the 2002 VSS 
criteria referenced in this section, HAS BEEN DESTROYED IN VIOLATION OF THE LAW, and 


2) The specific configuration settings of the server examined lead to the understanding that Certification 
Requirements for Voting Systems have likely not been met despite this system having been certified and 
thereby approved for use in Colorado by the Colorado Secretary of State. 


Further investigation is required to determine the full scope of non-compliance with legal mandates for voting 
systems and election records, and whether the non-compliance is deliberate or simply negligent. 
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Doug Gould Forensic Addendum 


Major Forensic Cases 


1986 - Disclosure of National Security Information 

Discovered a leak of highly classified information and was able to identify the perpetrator within 
a group of 15 people. The FBI and US Naval Investigative Service brought this to resolution. 
Early 19905 — US Secret Service investigation, “Mothers of Doom" hacker case 

At USSS Evidence Lab, in response to a request for assistance from USS SA Jack Lewis, performed 
evidence recovery and identified 800 pages of evidence, invalidating immunity of a suspect’s 
testimony in a proffer session. 

Late 1990/5 — Interpath, a North Carolina Internet Service Provider (ISP) 

This ISP was a tier-1 (top level) provider infected with Stacheldraht malware. Investigated the 
live (running) server and identified that all evidence on disc had been deleted. The only 
remaining evidence was a running program in memory, which was recovered. This case changed 
the Best Practice in Forensics — no longer is the first step necessarily removing the power. Had 
that been done no evidence would remain in this case. 

Late 1990’s — As senior security administrator for the US EPA, investigated a complaint from the 
White House of computer intrusions and discovered an international attack involving 4 countries. 
Wrote monitoring and tracking software to capture the perpetrator online, brought together the 
FBI, Royal Canadian Mounted Police (RCMP), Scotland Yard and Deutche Bundespost in a live 
investigation tracking the intruder resulting in an arrest in Germany. 

South Carolina — A Public Works supervisor accused of violation of county policy was fired and 
brought countersuit. Forensic investigation recovered 4 3" thick binders of evidence showing 
sexual misconduct. Countersuit dismissed. 

Discovered Al Qaida attack plans targeting US Soil. Working with the FBI, the perpetrator, who 
was a foreign citizen in the US. Arrest made within 48 hours and the attack was thwarted. 
Mid-2000’s — Florida vs. Rabinowicz — in a case where possession of contraband was the only 
element of proof, stipulated that the contraband was authentic and present. | proved 
forensically that the defendant was not technically in possession of the evidence and that 
evidence was planted. Qualified as an expert witness and provided expert testimony in this case. 
Mid-2000's — Identified a leak of national security from Oak Ridge National Laboratory involving 
chemical weapon information using forensic analysis and was able to identify the perpetrator. 
DSS responded and resolved the case. 

Mid-2000's — Investigated sabotage of a health industry contractor. The systems administrator 
had been fired and sabotaged the system. Solved the case and the administrator went to prison. 


Instructor of Forensics 


Taught Forensics and Advance Forensic Techniques to State Law Enforcement, Military and major 
corporate customers at the World Institute for Security Enhancement. 

Taught Technical Surveillance Countermeasures (TSCM) course for government and industry at the World 
Institute for Security Enhancement. 

Wrote the entire course and taught the entire CISSP curriculum at Able Information Systems. 


